OFFICE OF INSPECTOR GENERAL
Audit Report

Inspection of the Railroad Retirement Board's
Financial Interchange System Continuous Monitoring

This abstract summarizes the results of the subject audit. The full report includes information protected from disclosure and has been designated for limited distribution pursuant to 5 U.S.C. § 552.

Report No. 12-08
September 21, 2012

RAILROAD RETIREMENT BOARD

REPORT ABSTRACT
Inspection of the Railroad Retirement Board's Financial Interchange System Continuous Monitoring

The Office of Inspector General (OIG) for the Railroad Retirement Board (RRB) conducted an inspection of the activities at the RRB for the continuous monitoring of the Financial Interchange (FI) system to determine adherence to existing policy, procedures, guidance, and standards. Because the FI system inherits many of its controls from the Agency Enterprise General Information Support System (AEGIS), this inspection also includes an evaluation of the continuous monitoring documentation prepared for the AEGIS system. This inspection will support the OIG's mandated fiscal year (FY) 2012 Federal Information Security Management Act of 2002 evaluation.

The objective of continuous monitoring is to determine if the complete set of planned, required, and deployed security controls within an information system, or inherited by the system, continue to be effective over time. Continuous monitoring is an important activity in assessing the security impact on an information system resulting from planned and unplanned changes to the hardware, software, firmware, or environment of operation. In FY 2011, a contractor was hired by the RRB to plan and perform continuous monitoring of the controls over the RRB's FI and AEGIS systems.

Our evaluation determined that activities conducted at the RRB for the continuous monitoring process of the FI and AEGIS systems do not fully comply with existing policy, procedures, guidance, and standards because evidence suggests that an ineffective review process was performed over contractor deliverables. Therefore, we will continue to cite the agency with a significant deficiency in the internal control structure over the review of contractor deliverables associated with the risk management framework. We made eleven detailed recommendations to RRB management related to:

   •   improving the controls over the review process for the continuous monitoring deliverables received from the contractor and approved by the RRB;
   •   allocating the necessary resources to allow for an effective review of the continuous monitoring documentation; and
   •   effectively managing and consistently updating the FI and agency-wide Plan of Action and Milestones.

Agency Management has agreed to take corrective actions for all recommendations.